Secure Easy VPN and IOS issue.

Hi,

I have an Easy VPN set up on a Cisco 871 router as remote client, with a Cisco ASA firewall as VPN server. Everything works fine, except when I change/upgrade the IOS from 12.4.4T7(ED) to 12.4.20T1(ED); ping sourced from the inside interface of the 871 to the internet fails. Just wanted to check if this is an IOS issue or if I need to add any specific configuration for the new IOS version?

Re: Secure Easy VPN and IOS issue.

If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.

Note: This issue only applies to Cisco IOS and PIX 6.x, whereas PIX/ASA 7.x is not affected by this issue since it uses tunnel-groups.

Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:

router(config)#crypto isakmp key cisco123 address 172.22.1.164 no-xauth

In the scenario where the PIX/ASA 7.x acts as the Easy VPN Server, the easy VPN client is unable to connect to headend because of the Xauth issue. Disable the user authentication in the PIX/ASA in order to resolve the issue as shown:
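A check for the condition described in this reply, as an added example that is not part of the original post: it scans an IOS configuration for L2L peers on an XAUTH-enabled crypto map whose pre-shared key was entered without no-xauth. The sample config, the map and list names, and the function name are constructed; it assumes XAUTH is enabled with `crypto map <name> client authentication list` and that the most specific matching key entry applies to a peer.

```python
import ipaddress
import re

# Constructed sample (not from the thread): RA VPN and L2L peers share crypto map VPNMAP.
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 172.22.1.164 no-xauth
crypto isakmp key 0 s3cret address 192.0.2.10
crypto isakmp key s3cret2 address 198.51.100.0 255.255.255.0
crypto map VPNMAP client authentication list RA_USERS
crypto map VPNMAP 10 ipsec-isakmp
 set peer 172.22.1.164
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.10
crypto map OTHER 10 ipsec-isakmp
 set peer 198.51.100.7
"""

IP = r"\d+\.\d+\.\d+\.\d+"
KEY_RE = re.compile(rf"^crypto isakmp key (?:[06] )?\S+ address ({IP})(?: ({IP}))?( no-xauth)?\s*$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
MAP_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")
PEER_RE = re.compile(rf"^\s+set peer ({IP})")


def l2l_peers_prompted_for_xauth(config):
    """Return (crypto map, peer) pairs whose key lacks no-xauth on an XAUTH-enabled map."""
    keys, xauth_maps, peers, current = [], set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a top-level line ends the previous crypto map entry
        if m := KEY_RE.match(line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False)
            keys.append((net, bool(m[3])))
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m[1])
        elif m := MAP_RE.match(line):
            current = m[1]
        elif (m := PEER_RE.match(line)) and current:
            peers.setdefault(current, []).append(m[1])
    findings = []
    for name in sorted(xauth_maps):
        for peer in peers.get(name, []):
            addr = ipaddress.ip_address(peer)
            covering = [(net.prefixlen, ok) for net, ok in keys if addr in net]
            # Assumption: the most specific matching key entry decides.
            if covering and not max(covering)[1]:
                findings.append((name, peer))
    return findings


if __name__ == "__main__":
    print(l2l_peers_prompted_for_xauth(SAMPLE_CONFIG))
```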
